An introduction to GDPR
The information in this article is for general guidance only. The application and impact of GDPR can vary wildly on a case-to-case basis. As such, this document is NOT a substitute for consulting with professional legal advisers.
The General Data Protection Regulation (GDPR) was adopted in April 2016 and became enforceable on May 25th 2018.
This regulation is designed to give EU citizens better control over their personal data. It requires any company which stores and uses the personal data of EU citizens to take steps to protect that data and, for example, to make it available for the user to download.
Personal data is any information relating to a person who can be identified directly or indirectly, such as ”(...)a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Furthermore, personal data may only be collected if a user consents to it. A consent is a ”freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Consents must consist of clear, concise and granular positive opt-ins such as:
- Consent to receive newsletters
- Consent to using previous purchases to show personalized suggestions
In other words: the user must be informed about precisely which data you want to use, why you are collecting it, and what you want to use it for, and must actively elect to give consent to that activity. A consent cannot be collected using pre-ticked boxes or other methods of default consent.
Again, don’t take our word for it – please consult a legal professional.
GDPR & Dynamicweb
To be GDPR compliant, you typically need to handle four tasks:
- Create concise and granular opt-ins
- Collect consents based on the opt-ins
- Check for consents before performing actions that rely on them, such as sending emails
- Make user data available for download in frontend
In Dynamicweb, these tasks map to the following tools:
- Opt-ins are called consent activities and are created using the Data Processing app
- Consents for an activity are collected using either the Extranet or the Forms for Editors apps and can be viewed using the Data Processing app
- Consents can be checked and updated when using Email Marketing – or by using the ConsentManager
- User data can be made available for download using the Data Portability app
Bear in mind that you don’t have to use these tools to be GDPR compliant – consents collected via other sources (e.g. phone calls) can simply be stored in a set of custom fields. The Data Processing app is simply a convenient tool for storing consents which are obtained using our system.
If you store email consents in custom fields, you will have to uncheck these custom fields on unsubscribes – this can be done via the Dynamicweb Users recipient provider settings.
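The four tasks above (granular opt-ins, collecting consents, checking them before sending email, and exporting user data) and the unsubscribe caveat can be illustrated with a small consent ledger. The code below is an added example written for this article; it is not Dynamicweb code and does not use the ConsentManager, Data Processing or Data Portability APIs. The activity names, the `ConsentStore` class and the sample users are all constructed for the illustration. The security-relevant points it demonstrates are that absence of a record is treated as "no consent" (so a pre-ticked default can never slip through), that an unsubscribe is recorded as an explicit withdrawal so later checks fail closed, and that the consent history itself is part of what the user can export.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Granular, purpose-specific opt-ins (the "consent activities" of the text).
# These identifiers are constructed for the example.
NEWSLETTER = "newsletter"
PERSONALIZED_SUGGESTIONS = "personalized_suggestions"
KNOWN_ACTIVITIES = {NEWSLETTER, PERSONALIZED_SUGGESTIONS}


@dataclass
class ConsentEvent:
    """One recorded statement by the user about one activity."""
    activity: str
    given: bool        # True = opted in, False = withdrawn / unsubscribed
    source: str        # where it was collected, e.g. "web-form", "phone-call"
    recorded_at: str   # ISO 8601 timestamp, so the record is auditable


@dataclass
class UserRecord:
    email: str
    name: str
    consent_history: List[ConsentEvent] = field(default_factory=list)


class ConsentStore:
    """Hypothetical consent ledger; NOT Dynamicweb's ConsentManager or Data Processing app."""

    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}

    def register_user(self, email: str, name: str) -> UserRecord:
        # A new user starts with NO consents: the absence of a record means "no",
        # which is what rules out pre-ticked boxes and other default consent.
        user = UserRecord(email=email, name=name)
        self._users[email] = user
        return user

    def record_consent(self, email: str, activity: str, given: bool, source: str,
                       when: Optional[datetime] = None) -> None:
        if activity not in KNOWN_ACTIVITIES:
            raise ValueError(f"unknown consent activity: {activity}")
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self._users[email].consent_history.append(
            ConsentEvent(activity=activity, given=given, source=source, recorded_at=stamp))

    def withdraw(self, email: str, activity: str, source: str = "unsubscribe-link") -> None:
        # An unsubscribe is stored as an explicit "no", so later checks fail closed.
        self.record_consent(email, activity, given=False, source=source)

    def has_consent(self, email: str, activity: str) -> bool:
        user = self._users.get(email)
        if user is None:
            return False
        # The most recent event for this activity decides; nothing recorded -> False.
        for event in reversed(user.consent_history):
            if event.activity == activity:
                return event.given
        return False

    def export_user_data(self, email: str) -> dict:
        # Data portability: everything held about the user, consent history included.
        return asdict(self._users[email])


def send_newsletter(store: ConsentStore, candidate_emails: List[str]) -> List[str]:
    """Return only the recipients the newsletter may go to; everyone else is skipped."""
    return [e for e in candidate_emails if store.has_consent(e, NEWSLETTER)]


def build_sample_store() -> ConsentStore:
    """Constructed sample data for the example."""
    store = ConsentStore()
    store.register_user("alice@example.com", "Alice")
    store.register_user("bob@example.com", "Bob")
    store.register_user("carol@example.com", "Carol")
    store.record_consent("alice@example.com", NEWSLETTER, True, "web-form")
    store.record_consent("alice@example.com", PERSONALIZED_SUGGESTIONS, True, "web-form")
    # Carol consented by phone (stored like any other consent), then unsubscribed.
    store.record_consent("carol@example.com", NEWSLETTER, True, "phone-call")
    store.withdraw("carol@example.com", NEWSLETTER)
    # Bob never ticked anything, so no record exists for him.
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(send_newsletter(s, ["alice@example.com", "bob@example.com", "carol@example.com"]))
    print(s.export_user_data("carol@example.com"))
```

Running the module sends the newsletter only to Alice: Bob has no record at all and Carol's latest event is a withdrawal. Carol's export shows both her phone-call opt-in and the later unsubscribe, which is the kind of audit trail you would want whether the consents live in the Data Processing app or in custom fields.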